Observations on articles I read to keep current about technology. My interests are: Privacy, security, business, the computer industry, and geeky stuff that catches my eye.

I don't think I have an agenda beyond my own amusement.

Note that I lump all my comments into a single post. This is not a typical BLOG technique; it's just an indication that I'm lazy.

Saturday, May 22, 2010

As the judicial system starts to use/depend on technology, access to that technology will become critical. I have to side with the Judge here. This was at minimum highly disruptive. Could it have blocked the flow of documents to or from the Judge to the extent that deadlines or stays of execution were missed? I could probably come up with many nasty scenarios.

A federal appeals court has overturned a criminal contempt citation and 30-day sentence issued to a civil litigant who urged his followers to e-mail the judge presiding over the case.

The case tested the reach of judicial contempt authority in the digital age. The 7th U.S. Circuit Court of Appeals said Thursday that, generally, it did not extend beyond the courtroom.

The brouhaha began in February, when TV pitchman Kevin Trudeau asked his radio and web followers to deluge U.S. District Judge Robert Gettleman with e-mail so he would side with him in a civil lawsuit.

The Chicago judge’s inbox was flooded with hundreds of messages, and his Blackberry froze. He promptly found Trudeau — who was being sued by the Federal Trade Commission — in contempt of court and sentenced him to jail. The term was stayed pending appeal.

The legal question at issue focused on whether contempt of court can occur in a court’s virtual presence.

“Because the conduct occurred outside the judge’s presence and, rather than being forced to stop proceedings by Trudeau’s behavior, the judge had to actually convene proceedings in order to get Trudeau before the court, summary contempt should never have been an option here,” the Chicago-based appeals court ruled.

Because the contempt citation was so unusual, the court left open the possibility for Judge Gettleman to refer the case to federal prosecutors, which would allow Trudeau a chance to defend himself against the charges.

During oral arguments in the case last month, the judge’s attorney, Gary Feinerman, told the three-judge appellate court that computers are part and parcel of a judge’s courtroom.

“The court, at that point, was under attack,” Feinerman argued, according to the Chicago Sun-Times. He said U.S. Marshals are examining the messages to see if any are threatening.

Kimball Anderson, Trudeau’s lawyer, argued his client could only be sanctioned for courtroom behavior, and only if it affects the “administration of justice.”

Facebook likely will be hauled before a federal judge in Canada by the fall for thumbing its nose at the country’s privacy watchdog, online privacy experts predict.

The furor over privacy settings and how the social networking site shares personal information with outside companies has been growing for the past few months, with Canada’s privacy commissioner Jennifer Stoddart now speaking openly about the possibility of a fresh investigation into Facebook for new violations of Canada’s private sector privacy act.

“Although they’ve done some things right, in a few areas, they seem to have gone in the opposite direction, and that’s been disappointing,” spokeswoman Anne-Marie Hayden said Friday.

"Amid the uproar over Facebook's privacy maneuvers, Tim O'Reilly offers a contrarian view. He writes: 'The essence of my argument is that there's enormous advantage for users in giving up some privacy online [Sharing information is one thing, losing control of that information is another. I give you my credit card ONLY to pay for a single transaction. If you use it for anything else, I'll sic Guido on you! Bob] and that we need to be exploring the boundary conditions — asking ourselves when is it good for users, and when is it bad, to reveal their personal information. I'd rather have entrepreneurs making high-profile mistakes about those boundaries, [I'd rather have them THINK about what could go wrong and explain the risks to customers before asking them to Opt-In. But that's too much work for the Marketing Department. Bob] and then correcting them, than silently avoiding controversy while quietly taking advantage of public ignorance of the subject, or avoiding a potentially contentious area of innovation because they are afraid of backlash. It's easy to say that this should always be the user's choice, but entrepreneurs from Steve Jobs to Mark Zuckerberg are in the business of discovering things that users don't already know that they will want, and sometimes we only find the right balance by pushing too far, and then recovering.'"

Google began offering an encrypted option for Web searchers on Friday and said it planned to roll it out for all of its services eventually.

People who want to use the more secure search option can type "https://www.google.com/" into their browser, scrambling the connection so the words and phrases they search on, and the results that Google displays, will be protected from interception.

… The encryption protects only data in transit between an individual's browser and the Google search server. When people click on a search result and are directed to another Web site, they leave the encrypted channel.

Offering encrypted connections to Google.com means that users in China and other regimes that engage in significant surveillance will--assuming the connection is not blocked in the first place--be able to conduct searches without governments knowing the search terms.
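The two caveats above (only the path between browser and Google is protected, and the protection ends when the user clicks through to a result) are worth making concrete. The following is an added example written for this page, not Google code and not from the article. It uses constructed search URLs, assumes that HTTPS hides everything but the destination host from a passive observer on the path, and models the legacy browser default for the Referer header (no-referrer-when-downgrade: the full page URL is sent to the next site unless the navigation goes from HTTPS to plain HTTP). It shows that an encrypted search still hands the query to any HTTPS result page the user clicks, because the search terms sit in the query string.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs for the example; not taken from the original page.
HTTP_SEARCH = "http://www.google.com/search?q=symptoms+of+hiv&hl=en"
HTTPS_SEARCH = "https://www.google.com/search?q=symptoms+of+hiv&hl=en"


def transit_exposure(url):
    """What a passive observer on the path (ISP, hotspot, national firewall)
    can read from the wire for a request to `url`.

    Assumption: plain HTTP exposes host, path and query in the clear; HTTPS
    encrypts path and query and leaves only the destination host visible
    (through the DNS lookup and the TLS handshake). Packet sizes and timing
    are also visible but are not modelled here.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return {"host": parts.hostname, "path": None, "query": None}
    if parts.scheme == "http":
        return {"host": parts.hostname, "path": parts.path, "query": parts.query}
    raise ValueError("unsupported scheme: %s" % parts.scheme)


def referer_on_click(page_url, link_url):
    """Referer header the browser sends when the user follows `link_url`
    from `page_url`, under the legacy no-referrer-when-downgrade default:
    the full page URL (query string included) is sent, except that nothing
    is sent when going from an HTTPS page to a plain HTTP one.
    """
    src, dst = urlsplit(page_url), urlsplit(link_url)
    if src.scheme == "https" and dst.scheme != "https":
        return None
    return page_url


def search_terms_from_referer(referer):
    """What the destination site learns: the `q` parameter of a Google
    search URL that arrived in the Referer header, or None if absent."""
    if referer is None:
        return None
    query = parse_qs(urlsplit(referer).query)
    return query.get("q", [None])[0]


if __name__ == "__main__":
    print("plain HTTP search on the wire:", transit_exposure(HTTP_SEARCH))
    print("HTTPS search on the wire:     ", transit_exposure(HTTPS_SEARCH))
    for result in ("http://example.org/article", "https://example.org/article"):
        ref = referer_on_click(HTTPS_SEARCH, result)
        print("click to", result, "-> site learns:", search_terms_from_referer(ref))
```

The encrypted search keeps the query off the wire between the user and Google, but the click-through is a separate request: an HTTPS result page receives the full search URL in the Referer under this policy, and a plain HTTP result page receives no Referer only because the browser suppresses it on the downgrade. Whether Google strips or redirects outbound clicks is a separate question the article does not address.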

Would you like your doctor to discuss your treatment on Facebook? Why would Twitter be any better? Looks like another “can of worms” area of the law.

… American Well partnered with Microsoft to use its HealthVault EMR service, which allows patients to securely store their entire medical history online. Test results and radiological images can also be uploaded to the online records. Patients control access to their information and must specify who can see the records. Google Health is another popular online EMR service also being used to access patient information online.

BlueCross and BlueShield of Minnesota makes the online patient services available to employers, who then offer it to employees. There is a $10 or $20 co-payment fee for members, and nonmembers can use the services for $50 per session. In other states, however, BlueCross and BlueShield offers the services to any member, regardless of employer.

… Jeff Livingston, an obstetrician and gynecologist in Irving, Texas, said his 10-doctor practice has about 600 Facebook fans and more than 1,500 Twitter followers. They not only use the social networking service to communicate through text messaging, but can read and comment on postings about birth control, breast feeding and a variety of other health care topics.

New mothers also share baby photos through a popular Facebook community page created by patients [How secure would that be? Bob] of his practice, MacArthur OB/GYN. And MacArthur OB/GYN’s Facebook fans can connect with one another through the social networking site to discuss their own experiences with medical procedures.

… Livingston said that he is well aware of potential privacy issues but feels that the issue is really much ado about nothing.

“To me, it’s very simple and not controversial, but people like to make it controversial,” he said. “You cannot diagnose, treat or discuss any personal health information in a nonsecure environment. So if a patient asks me a very specific question on Facebook, I cannot answer it legally.” [Even to save a life? Bob]

You no longer need to buy a Politician (they're cheap, but the maintenance is costly) Now you can supply him with pre-written laws (and talking points) that make him look like he understands the topic! Of course, this works both ways... Right Mr. Gore?

The American Legislative Exchange Council (ALEC) has secretly taken millions of dollars in corporate money to infiltrate state legislatures and push legislation that, amongst other anti-consumer measures, would give complete immunity to asbestos manufacturers and undermine recently-passed health care reform, according to a new report released today.

This seems to have been a website in Beta. They claim they didn't actually have photos but were going to provide links to them. Coupled with a face recognition tool, this might have been an interesting site for scandal mongers...

"In what must be one of the largest attempts to scrape images from the Web, the site ImageLogr.com 'claims to be scraping the entire "free web" and seems to have hit Flickr especially hard, copying full-sized images of yours and mine to their own servers, where they are hosting them without any attribution or links back to the original image in violation of all available licenses on Flickr.' The site even contains the option to directly download images that ImageLogr has scraped. What makes this endeavor so amazing is that it isn't a case of 'other people gave us millions of infringing images, help us remove the wrong ones,' but one of 'we took all the images on the Web; if we got one of yours, oops!' The former gets some protection from the DMCA, whereas the latter is blatant infringement. ImageLogr's actions have caused a flurry of activity, and the site's owners have subsequently taken it offline, displaying the following message: 'Imagelogr.com is currently offline as we are improving the website. Due to copyright issues we are now changing some stuff around to make people happy. Please check back soon.'"

Another wave of computerization: from Mainframes, which ran applications for the entire organization; to Mini-computers which could support a single department; to microcomputers supporting a single user – now we can use the cloud to do any or all of those things at the same time.

With all of the talk about Android, the open Web, and video taking place at this week's Google I/O conference, big software vendors could have easily been lulled into underestimating how much Google is actually targeting enterprises with new and updated offerings.

That would be a mistake.

Google has become such a prolific creator of technology that suits its own business needs that somewhere down the line it crossed over into the future of the enterprise, or at least a version of the future--one that develops software to consume and manage IT services and resources without having to build your own infrastructure.

… And really, cloud is far more about users than it is vendors. As Forrester Research's James Staten wrote recently, "cloud computing isn't your future--it's a new part of your overall IT portfolio." It's the ability to use cloud services to augment your environment that matters to users. Services such as Amazon EC2, AppEngine, and Rackspace Cloud are all just extensions of your infrastructure.

School Spy Program Used on Students Contains Hacker-Friendly Security Hole

By Kim Zetter May 20, 2010 4:09 pm

A controversial remote administration program that a Pennsylvania school district installed on student-issued laptops contains a security hole that put the students at risk of being spied on by people outside the school, according to a security firm that examined the software.

The LANrev program contains a vulnerability that would allow someone using the same network as one of the students to install malware on the laptop that could remotely control the computer. An intruder would be able to steal data from the computer or control the laptop webcam to snap surreptitious pictures.

… In the hack demonstrated in the video below, Leviathan researcher Joel Voss is seen intercepting communication between a LANrev computer and its server, and then impersonating the server to install a remote control program that gives him complete and surreptitious control over the machine. He can operate its web camera to capture imagery of the person sitting in front of the machine.
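The attack described above works because the agent on the laptop treats whatever answers on the network as its management server. The following is an added illustration written for this page; it is not LANrev's protocol or code and makes no claim about how that product actually authenticates. It uses a constructed per-agent secret and HMAC-SHA256 as a stand-in for whatever server authentication a real agent would use (a pinned server certificate over TLS would serve the same purpose). It places the vulnerable pattern beside the hardened one: the unauthenticated handler runs any command an interposed host sends, while the authenticated handler verifies the tag before parsing, rejects replayed messages, and only runs commands on a fixed allow-list.

```python
import hashlib
import hmac
import json

# Constructed per-agent secret for this example. A real deployment would
# provision a distinct key (or pinned server certificate) to each agent at
# enrollment, out of band, and never send it across the network.
AGENT_KEY = bytes.fromhex("7f" * 32)


def sign_command(key, command, nonce):
    """Server side: serialise a command and authenticate it with HMAC-SHA256.
    Returns (message_bytes, tag_hex). The nonce is covered by the tag so a
    captured message cannot be replayed later."""
    message = json.dumps({"nonce": nonce, "command": command},
                         sort_keys=True).encode()
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return message, tag


def forge_command(command, nonce="attacker"):
    """Attacker on the same network who answers the agent's connection in
    place of the real server. Holds no key, so can only send an untagged
    (or wrongly tagged) message in the same wire format."""
    return json.dumps({"nonce": nonce, "command": command},
                      sort_keys=True).encode()


class Agent:
    """Minimal management agent that receives commands from 'the server'."""

    ALLOWED = frozenset({"inventory", "apply_policy"})

    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()

    def _run(self, command):
        # Stand-in for executing an administrative action on the laptop.
        return "ran " + command

    def handle_unauthenticated(self, message):
        """Vulnerable pattern: whoever the agent is talking to is trusted as
        the management server, so an interposed host can push any command,
        including installing a remote-control tool."""
        return self._run(json.loads(message)["command"])

    def handle_authenticated(self, message, tag_hex):
        """Hardened pattern. Returns ("ok", result) or ("rejected", reason)."""
        expected = hmac.new(self.key, message, hashlib.sha256).hexdigest()
        # Constant-time comparison; verify before parsing untrusted JSON.
        if not hmac.compare_digest(expected, tag_hex):
            return "rejected", "tag does not verify: not from the enrolled server"
        cmd = json.loads(message)
        if cmd["nonce"] in self.seen_nonces:
            return "rejected", "replayed message"
        self.seen_nonces.add(cmd["nonce"])
        if cmd["command"] not in self.ALLOWED:
            return "rejected", "command not on allow-list"
        return "ok", self._run(cmd["command"])


def demo():
    """Run the four cases against one agent and return the outcomes."""
    agent = Agent(AGENT_KEY)
    forged = forge_command("install_remote_control")
    genuine, tag = sign_command(AGENT_KEY, "inventory", nonce="c0ffee01")
    return {
        "vuln_accepts_forgery": agent.handle_unauthenticated(forged),
        "hardened_rejects_forgery": agent.handle_authenticated(forged, tag),
        "hardened_accepts_genuine": agent.handle_authenticated(genuine, tag),
        "hardened_rejects_replay": agent.handle_authenticated(genuine, tag),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The allow-list is defence in depth rather than the fix: without origin authentication an attacker who can sit on the student's network still chooses which allowed command runs and with what arguments. The replay check matters because the same attacker can capture a genuine tagged message and resend it, which is exactly the position the researcher is in when intercepting the agent's traffic.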

A former Tunkhannock Area High School student accused school and Wyoming County law enforcement officials of violating her privacy rights by seizing and searching her cell phone and punishing her for storing nude and semi-nude photos of herself on the device.

The woman, who was a 17-year-old senior at the time, contends in a civil rights suit filed Thursday that the intimate photos were intended to be viewed “only by herself and, perhaps, her longtime boyfriend.” She is seeking unspecified damages and the destruction of all electronic and hard copies of the photos.

[...]

The woman was a schoolmate of three girls who sued when they were threatened with prosecution by former District Attorney George Skumanick after photos of them in various states of undress were circulated among Tunkhannock Area students in 2008. In April, a federal judge barred prosecutors from pursuing charges in the “sexting” case.

For the first time in 7 years, The Identity Theft Resource Center (ITRC)® can state that it is encouraged by the findings of the Identity Theft: The Aftermath 2009™. It is becoming clear that some areas of great distress in the past have become less worrisome for the victims. This is true in terms of victim time involvement, cost to victim, support from friends, level of satisfaction in interactions with law enforcement, and fewer negative consequences.

Victim hours repairing damage: Victims reported spending an average of 68 hours repairing the damage done by identity theft to an existing account used or taken over by the thief, down from an average of 76 hours in 2008. In cases where a new account, criminal, governmental or a combination of several situations were involved, respondents reported an average of 141 hours to clean up the fraud. This is a significant decrease from the average of 265 hours in 2008.

Costs to victim: Respondents in 2009 spent an average of $527 in out-of-pocket expenses for damage done to an existing account. This is down from the $741 reported in 2008.

Important Relationships: In 2009, 44% of the respondents indicated support from friends, while only 9% said friends were not supportive.

Unfortunately, the 2009 Aftermath, once again, shows a number of negative issues that victims continue to encounter. Check fraud is on the increase, along with cases involving governmental and criminal identity theft issues. The moment of discovery of the case continues to be adverse, indicating that the public and business sections have been less successful in proactive measures to stop identity theft crimes before they happen or become complicated. In addition, the victim’s inability to easily resolve negative records continues to be a stated point of frustration and source of anger, including short-term and long-term emotional impact.

Inability to clear negative records: Unfortunately, while victim time involvement may have decreased, there continues to be an inability to easily clear negative records. Nearly 1/3 of the respondents were unable to remove any negative items.

Victim discovery of crime: It is disturbing to note that self-proactive measures decreased from 2008, despite growing educational efforts nationwide to enhance consumers’ knowledge of this issue. It is equally disturbing that business-proactive measures reflect only a nominal increase.

Uses of victim information: Opening new lines of credit continues to remain the most frequently occurring use for a victim’s identity (55%). Ranking second in use of personal information are charges on stolen credit cards and debit cards at 34%. Check fraud continued to reflect an increase in 2009 either by synthesizing or theft of checks.

Since 2003, the ITRC has conducted annual victimization surveys to study the impact of identity theft crimes on its victims. The goal of these surveys and reports, now with seven years of information, is to view identity theft from the victim’s perspective. These annual studies provide a snapshot of each victim at the time they took the study.

Other general highlights include:

Prevalence of types of identity theft crimes: The “unlawful use of personal identifying information” for only financial identity theft crimes was reported by 74% of the respondents. The remaining 26% reflect cases of criminal identity theft, governmental identity theft, and/or combinations of the above.

Child identity theft: Responses indicate a shift in criminal behavior in relation to child identity theft from family members to unknown perpetrators.

Emotional Impact: Dr. Charles Nelson (crime victim specialist), analyzed the short term and long term emotions felt by victims. He reached the following conclusions:

Despite media coverage and education about identity theft, the public still believes this happens to someone else. Thus, when this crime touches their lives, disbelief and denial are intensified, followed by anger and rage, similar to the stages of grief.

The ITRC is seeing an increase in long term shame, embarrassment, a sense of being an outcast, and undeserving of help. This may be due to strong consumer messaging about protecting yourself from identity theft.

Many victims “have on-going symptoms and do indicate that they are wrestling with long term dysfunctional changes in their behavior and thought patterns.”

… As the service's engineers built more and more tools that could uncover such insights, Zuckerberg sometimes amused himself by conducting experiments. For instance, he concluded that by examining friend relationships and communications patterns he could determine with about 33 percent accuracy who a user was going to be in a relationship with a week from now. To deduce this he studied who was looking which profiles, who your friends were friends with, and who was newly single, among other indicators.

(Related) The technology behind Behavioral Advertising can be used for other purposes...

Can software catch a cyberspy’s tricky intentions, before he’s started to help the other side? The way-out researchers at Darpa think so. They’re planning a new program, “Suspected Malicious Insider Threat Elimination” or SMITE, that’s supposed to “dynamically forecast” when a mole is about to strike. Also, the code is meant to flag “inadvertent” disclosures “by an already trusted person with access to sensitive information.”

MySpace, Facebook and a half dozen other companies just screwed up. Big time.

Posted by Brad McCarty on May 21st, 2010

This is, to put it very lightly, not good. The Wall Street Journal is reporting that some of our largest fears have been realized. All of those promises that sites such as MySpace and Facebook have made regarding the safety of our personal information have been proven to be nothing but cheap talk.

… According to the article:

“Several large advertising companies identified by the Journal as receiving the data, including Google Inc.’s DoubleClick and Yahoo Inc.’s Right Media, said they were unaware of the data being sent to them from the social-networking sites, and said they haven’t made use of it.”

… Search Engine Land had a great article that talked about the convergence between privacy and advertising.

Did you know you could make Google search for faces only, by adding a small bit of code? When you go to Google Image Search, enter your query and then add “&imgtype=face” (without the quotes of course) to the end of the URL. It will give you similar results as facesearch above.

"Consumer Watchdog today formally launched its new Website, Inside Google, to focus attention on the company’s activities and hold Google accountable for its actions. The nonpartisan, nonprofit public interest group is launching Inside Google to educate the public and opinion leaders about Google’s dangerous dominance over the Internet, computing and consumers’ online lives. Inside Google’s blog is authored by experienced consumer advocates and journalists working to expose the “black box” at Google with an eye towards holding Google engineers accountable to social mores, ethical customs and the rule of law."

Isn't this like the fingerprint database (until they start deporting people with undesirable DNA)?

"Millions of Americans arrested for but not convicted of crimes will likely have their DNA forcibly extracted and added to a national database, according to a bill approved by the US House of Representatives on Tuesday. By a 357 to 32 vote, the House approved legislation that will pay state governments to require DNA samples, which could mean drawing blood with a needle, from adults 'arrested for' certain serious crimes. Not one Democrat voted against the database measure, which would hand out about $75 million to states that agree to make such testing mandatory. ... But civil libertarians say DNA samples should be required only from people who have been convicted of crimes, and argue that if there is probable cause to believe that someone is involved in a crime, a judge can sign a warrant allowing a blood sample or cheek swab to be forcibly extracted."

A simple illustration of who is doing what. More informative than those simple bar charts I've been showing my Statistics students.

Page Easy is a tool that you can use in order to build a temporary web page. This can be used by those who don’t have a blog and who can’t be bothered to get one, and also by the ones who want an alternative to HTML email.

Using this site you can easily host a video online, or any picture that you want others to see without needing to be a programmer. As a matter of fact, you don’t have to type a single line of code - uploading a file is as easy as uploading an attachment when sending out an email.

MasterCard Worldwide today announced it has reached a settlement with Heartland Payment Systems (Heartland) to resolve claims by MasterCard and its issuers in connection with Heartland’s previously announced data security breach.

The settlement agreement calls for Heartland to fund up to $41.4 million of “alternative recovery offers” [Translation: I'll give you this if you promise not to sue. Bob] to be made to eligible MasterCard card issuers to settle their claims for operational costs and fraud losses alleged to have been incurred by them as a result of the breach. Issuers accepting their offers must agree to certain terms and conditions.

In the wake of an information breach affecting nearly 1 million people, executives at BlueCross BlueShield of Tennessee have many lessons to share and plenty of advice to offer.

On Oct. 2, 2009, someone stole 57 unencrypted hard drives from servers at a call center the insurer had recently closed. So far, there have been no arrests, nor any evidence of fraud committed, the company reports.

[...]

Among the actions the Tennessee plan has taken and the lessons it has learned are:

Encryption should be applied widely, including on servers. [Theft of encrypted data is not a Breach! Bob]

Appointing a chief security officer [Find someone other than Senior Management to blame! Bob] helps to ensure coordination of all security efforts.

Organizations should carefully assess how long to store information. [Have a Records Retention Policy! Bob]

In preparing a breach notification plan, be sure to prepare a pre-selected list of vendors that can help with various tasks. [Avoid vendors who are too expensive and those whose services suck! Bob]

Train customer service representatives to deal with breach-related questions from the public.

Communicate frequent updates on breach investigations through the media and a Web site.

Read more on HealthInfoSecurity.com. Interestingly, one of the lessons that I think everyone should have learned from this incident is not included in their list: think about recording calls for quality assurance purposes and ensure you have a way to retrieve PII and PHI if need be — and securely destroy such data on a frequent and regular basis. BCBS spent extraordinary time trying to figure out what was on the audio tapes. Of course, if strong encryption is used, some of that might not be necessary.

Earlier today, I posted a link to a TechCrunch story by Robin Wauters about how Pennsylvania Attorney General Tom Corbett, now the Republican candidate for Governor, had a grand jury subpoena Twitter to appear before the grand jury to “testify and give evidence regarding alleged violations of the laws of Pennsylvania.” As part of the subpoena, Twitter is to provide “any and all information” pertaining to two Twitter accounts, @bfbarbie and @CasaBlancaPA. Both of those accounts, and their companion blog, CasablancaPA, have been the source of frequent criticism of Corbett.

Not surprisingly, the blogosphere is lighting up over this subpoena, with most commenters speculating that Corbett is abusing his office and power to uncover the names of people who have anonymously criticized him. For his part, Corbett has not made any statement about the nature of the investigation or what Pennsylvania laws might have been violated. As WTAE reports:

During a Wednesday afternoon campaign rally at the Allegheny County Airport in West Mifflin, Corbett told Channel 4 Action News, “I can’t comment on that right now. That’s something that it’s a grand jury matter.” But Corbett did say the legal action is not about targeting people on Twitter who say things that he doesn’t like. Instead, he said this is related to an investigation.

Corbett was also quoted as saying:

“I don’t care about Twitter. If people — they twitter all the time. You know, I read it once. In fact, I only read — my only use of Twitter was to watch what you guys were saying during the (Bonusgate) trial. That’s how I kept on top of it day by day.”

So why, then, does Corbett want to know the identities of the two Twitter account holders? What did they tweet in 140 characters that is relevant to the grand jury? And if it was their blog entries that contain information relevant to an investigation, why not subpoena the account information on the blog? Is Corbett gambling that Twitter won’t put up as much of a fight as Google would?

And did Corbett inform the grand jury that he was asking them to subpoena the information on two people who had been highly critical of him?

Vic Walczak, of the ACLU’s Pittsburgh office, told Channel 4 Action News that the organization expects to get involved in this case.

“Attorney General Corbett’s subpoena to Twitter for identity information about people who have been criticizing him raises grave concerns about abuse of the grand jury process to retaliate against political critics and opponents, a most serious First Amendment violation,” Walczak said. “People in this country have a right to criticize government officials and to do so anonymously, as did Thomas Paine and the authors of the Federalist Papers.”

Matt Zimmerman of the Electronic Frontier Foundation also has concerns based on what’s been publicly revealed. In a statement to PogoWasRight.org, Zimmerman noted that EFF has had frequent concerns about attempts to unmask anonymous Does because of critical speech, but

the concerns are heightened even more in this context, when you have the chief law enforcement officer of the state going after people who said mean things about him. It doesn’t look very good.

Zimmerman notes that things may not be what they seem, however, and that “we may all be wrong.”

Has there been an abuse of power or abuse of process? Without more facts, it is impossible to know. What is clear to this blogger, however, is that at the very least, Corbett has a serious public perception problem over the use of his police power in this case.

For its part, Twitter has apparently notified the account holders so that they can fight the subpoena, and the bloggers note that they are trying to arrange for legal representation.

Julian Assange, the founder of the whistleblower website Wikileaks, has had his passport confiscated by immigration officials when he arrived at Melbourne Airport last week.

According to reports, the passport was returned to him after about 15 minutes, but Assange was told by authorities that his passport was going to be cancelled because it was looking worn.

But Assange told the Australian current affairs programme Dateline that he has since received a letter from the Australian Communication Minister Steven Conroy's office stating that the Australian Federal Police (AFP) has been asked to investigate the recent disclosure on Wikileaks of the Australian government's blacklist of banned websites.

"Australian customs officers have been given the power to search incoming travelers' laptops and mobile phones for porn. Passengers must declare whether they are carrying pornography on their Incoming Passenger Card. The Australian government is also planning to implement an Internet filter. Once these powers are in places, who knows how they will be used."

Is this how the Founding Fathers would have written it into the Constitution?

Social network service providers today are in a unique position. They are intermediaries and hosts to our communications, conversations and connections with loved ones, family, friends and colleagues. They have access to extremely sensitive information, including data gathered over time and from many different individuals.

Here at EFF, we’ve been thinking a lot recently about what specific rights a responsible social network service should provide to its users. Social network services must ensure that users have ongoing privacy and control over personal information stored with the service. Users are not just a commodity, and their rights must be respected. Innovation in social network services is important, but it must remain consistent with, rather than undermine, user privacy and control. Based on what we see today, therefore, we suggest three basic privacy-protective principles that social network users should demand:

Interesting. Apparently a rootkit (maybe) on the defendant's computer logged everything he did (to send home to the rootkit author?), including his hack of the email. Note to Hackers: Make certain your systems are malware free!

Susan Brenner discusses an aspect of the search warrant and inspection of computer belonging to David C. Kernell, the young man who was subsequently convicted of hacking into Sarah Palin’s e-mail account:

A recent decision from a federal district court addresses an issue I hadn’t seen before: whether searching malware on the suspect’s computer was outside the scope of the search warrant issued for that computer. It seems a narrow issue, and unfortunately the opinion issued in the case doesn’t tell us a whole lot about what happened; but I thought the issue was worth writing about, if only to note that it arose.

Alternative Litigation Financing in the United States: Issues, Knowns, and Unknowns - May 17, 2010, Steven Garber: "Alternative litigation financing (ALF) — also known as “third-party” litigation financing — refers to provision of capital by parties other than plaintiffs, defendants, their lawyers, or defendants' insurers to support litigation-related activity. This paper provides an overview of policy issues related to the legal ethics, social morality, and, especially, potential economic effects of ALF. It provides a snapshot of the only three segments of the ALF industry that appear to be fairly active as of early 2010, all of which provide support to plaintiffs or their lawyers. It offers lessons for policymakers, emphasizing distinctions that are often under appreciated in discussions of ALF. The paper concludes by suggesting that, for the next five to ten years, policymakers might best limit themselves to interventions that do not fundamentally interfere with the potential for increased competition to solve what appear to be important information problems that may limit the contributions of ALF to national economic performance."

"Reducing energy consumption in data centers, particularly with the prospect of a federal carbon tax, is pushing vendors to explore an ever-growing range of ideas. HP engineers say that biogas may offer a fresh alternative energy approach for IT managers. Researchers at HP Labs presented a paper (download PDF) on using cow manure from dairy farms and cattle feedlots and other 'digested farm waste' to generate electricity to an American Society of Mechanical Engineers conference, held this week. In it, the research team calculates that 'a hypothetical farm of 10,000 dairy cows' could power a 1 MW data center — or on the order of 1,000 servers. One trend that makes the idea of turning organic waste into usable power for data centers is the moves by several firms to build facilities in rural locations, where high-speed networks allow them to take advantage of the cost advantages of such areas. But there are some practical problems, not the least of which is connecting a data center to the cows. If it does happen, the move could call for a new take on plug and play: plug and poo."

As you may recall, when invites first started rolling out last September, online users were clamoring to get in to Google Wave. Since then, Google has made a number of important tweaks to the preview-stage product, including e-mail notifications, read-only wave access and undo/redo options.

Wednesday, May 19, 2010

This could be amusing. Google was “sampling” WiFi. How much data could be collected as they drove down your street? The formula would have to include: time of day, speed of the car, security of the WiFi, etc.

Karina Brown reports on what is likely to be only one of many lawsuits filed over Google’s revelation that it inadvertently collected personal information during its Street View operations:

In Portland, lead plaintiff Vicki Van Valin claims Google operates vehicles mounted with “wireless sniffers” that decode Wi-Fi data. She claims Google captured and decoded her Social Security number, banking information, medical records and other personal information, then stored the data on servers where “hundreds if not thousands” of Google employees could see it.

It seems that the plaintiffs claim that because they use an open wi-fi network, and because they transmit personal and sensitive information over it, and because Google has been on their street, then their personal information has been available, without their consent, to “hundreds of thousands” of Google employees.

A German court recently held that wi-fi users had an obligation to secure their network. We have no such law here, but I would pose this to the privacy law scholars who read this site: does a wi-fi user have a reasonable expectation of privacy if they do not secure their wi-fi network? [The term should be “Delusion of Privacy” Bob]

Some schools give Freshmen iPads, Berkeley gives DNA testing? I knew Berkeley was weirdcrazy different, but I don't get this at all...

UC Berkeley is adding something a little different this year in its welcome package — cotton swabs for a DNA sample.

In the past, incoming freshmen and transfer students have received a rather typical welcome book from the College of Letters and Science’s “On the Same Page” program, but this year the students will be asked for more.

The students will be asked to voluntarily submit a DNA sample. The cotton swabs will come with two bar code labels. One label will be put on the DNA sample and the other is kept for the student's own records.

The confidential process is being overseen by Jasper Rine, a campus professor of Genetics and Development Biology, who says the test results will help students make decisions about their diet and lifestyle.

For those who are interested in the backgrounds and psychological aspects of hackers, Tim Elfrink has an article in the Broward – Palm Beach New Times on Albert Gonzalez, Jonathan James, Christopher Scott, Stephen Watt, names recognizable for their roles in the massive credit card number hacks that became cautionary tales.

Nearly eight months after new rules were enacted requiring stronger protection of health care information, organizations are still leaking such data on file-sharing networks, a study by Dartmouth College’s Tuck School of Business has found.

In a research paper to be presented at an IEEE security symposium Tuesday, Dartmouth College professor Eric Johnson will describe how university researchers discovered thousands of documents containing sensitive patient information on popular peer-to-peer (P2P) networks.

One of the more than 3,000 files discovered by the researchers was a spreadsheet containing insurance details, personally identifying information, physician names and diagnosis codes on more than 28,000 individuals. Another document contained similar data on more than 7,000 individuals. Many of the documents contained sensitive patient communications, treatment data, medical diagnoses and psychiatric evaluations. At least five files contained enough information to be classified as a major breach under current health-care breach notification rules.

Broad New Treasury Initiative to Increase Electronic Transactions, Save More Than $400 Million, 12 Million Pounds of Paper in First Five Years

News release: "With Americans poised to celebrate the 40th anniversary of Earth Day this week, the U.S. Department of the Treasury today announced a broad new initiative to dramatically increase the number of electronic transactions that involve Treasury and millions of citizens and businesses, a move that is expected to save more than $400 million and 12 million pounds of paper in the first five years alone. In addition to greatly reducing costs, enhancing customer service and minimizing Treasury's environmental impact, the move from paper to electronic transactions will increase reliability, safety and security for benefit recipients and taxpayers... Treasury will require individuals receiving Social Security, Supplemental Security Income, Veterans, Railroad Retirement and Office of Personnel Management benefits to receive payments electronically. Individuals will be able to receive benefits either through direct deposit into a bank account or Treasury's Direct Express debit card."

The lawyers who do most of the jousting over Internet copyright issues were abuzz last week after learning that a federal court judge suggested one of the more prominent among them had advised clients to destroy evidence.

On Wednesday, U.S. District Court Judge Kimba Wood issued a 59-page decision in Manhattan granting summary judgment in favor of the Recording Industry Association of America in its long-running copyright fight against file-sharing service LimeWire. The order opened the door for the top four record companies to force a closure of the service.

In addressing an issue of whether statements made by a former LimeWire executive should be considered by the court, Wood called out Fred von Lohmann, the much-quoted senior staff attorney at the Electronic Frontier Foundation, an advocacy group that fights for the rights of Internet users and technology companies. According to Wood, LimeWire founder Mark Gorton testified that he and former company Chief Technology Officer Greg Bildson received questionable advice from von Lohmann.

… As it is now, Privacy Scanner will check your account’s Instant Personalization settings, which allows Facebook partners to customize their sites based on your public information. In addition to that check, it will also look at personal information, contact information, the information that friends can share about you, as well as the settings within friends, tags, and connections.

The government may have to make sacrifices in such treasured concepts as privacy and sovereignty, so that public sector organisations can take advantage of the “convenience” of the cloud, says a Department of Internal Affairs (DIA) project manager.

Adam Stapleton is managing a project for DIA’s Government Technology Services (GTS) arm, to produce “guidance to allow public sector agencies to reduce the barriers” to adoption of cloud computing services. He spoke at the Future Perfect digital continuity conference, held in Wellington recently.

The current GTS project that Stapleton oversees aims to provide an authoritative definition of cloud computing, track trends in its evolution “and talk about what is the opportunity space tactically for the next one or two years and the constraints – legislation and policy and other [factors] that may preclude some classes of information being used for some types of cloud computing services.”

New research by the Electronic Frontier Foundation (EFF) has found that an overwhelming majority of web browsers have unique signatures — creating identifiable “fingerprints” that could be used to track you as you surf the Internet.

The findings were the result of an experiment EFF conducted with volunteers who visited http://panopticlick.eff.org/. The website anonymously logged the configuration and version information from each participant’s operating system, browser, and browser plug-ins — information that websites routinely access each time you visit — and compared that information to a database of configurations collected from almost a million other visitors. EFF found that 84% of the configuration combinations were unique and identifiable, creating unique and identifiable browser “fingerprints.” Browsers with Adobe Flash or Java plug-ins installed were 94% unique and trackable.

“We took measures to keep participants in our experiment anonymous, but most sites don’t do that,” said EFF Senior Staff Technologist Peter Eckersley. “In fact, several companies are already selling products that claim to use browser fingerprinting to help websites identify users and their online activities. This experiment is an important reality check, showing just how powerful these tracking mechanisms are.”

EFF found that some browsers were less likely to contain unique configurations, including those that block JavaScript, and some browser plug-ins may be able to be configured to limit the information your browser shares with the websites you visit. But overall, it is very difficult to reconfigure your browser to make it less identifiable. The best solution for web users may be to insist that new privacy protections be built into the browsers themselves.

“Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies and IP addresses when we discuss web privacy and user trackability,” said Eckersley. “We hope that browser developers will work to reduce these privacy risks in future versions of their code.”

EFF’s paper on Panopticlick will be formally presented at the Privacy Enhancing Technologies Symposium (PETS 2010) in Berlin in July.
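The uniqueness measurement EFF describes above, reproduced in miniature as an added example (my own Python, not EFF's code or data): a handful of constructed browser configurations are hashed into fingerprints, the fraction of visitors singled out is counted, and the identifying information (in bits) carried by the fingerprint and by each attribute is computed. It also shows the effect the article hints at, that a browser which withholds the script- and plug-in-exposed attributes (plugins, fonts, screen) is far less identifiable.

```python
import hashlib
import math
from collections import Counter

# Constructed sample of browser configurations (not EFF's data): the kinds of
# attributes Panopticlick logged, here reduced to five fields.
SAMPLE_CONFIGS = [
    {"ua": "Firefox/3.6 Win", "plugins": "Flash 10;Java 6", "fonts": "Arial,Tahoma", "screen": "1280x800", "tz": "-300"},
    {"ua": "Firefox/3.6 Win", "plugins": "Flash 10;Java 6", "fonts": "Arial,Calibri", "screen": "1280x800", "tz": "-300"},
    {"ua": "Firefox/3.6 Win", "plugins": "Flash 10", "fonts": "Arial,Tahoma", "screen": "1920x1080", "tz": "-300"},
    {"ua": "Chrome/5 Mac", "plugins": "Flash 10;Java 6", "fonts": "Arial,Tahoma", "screen": "1280x800", "tz": "-300"},
    {"ua": "Chrome/5 Mac", "plugins": "Flash 10;QuickTime", "fonts": "Helvetica", "screen": "1440x900", "tz": "0"},
    {"ua": "Lynx/2.8", "plugins": "none", "fonts": "", "screen": "1280x800", "tz": "-300"},
    {"ua": "Lynx/2.8", "plugins": "none", "fonts": "", "screen": "1280x800", "tz": "-300"},
    {"ua": "Chrome/5 Mac", "plugins": "Flash 10;Java 6", "fonts": "Arial,Tahoma", "screen": "1280x800", "tz": "60"},
]

# Attributes a site can only learn through JavaScript or plug-ins; a browser
# that blocks them exposes only what the HTTP request itself carries.
SCRIPT_ONLY = frozenset({"plugins", "fonts", "screen"})

def fingerprint(config, withheld=frozenset()):
    """Hash the canonical list of exposed attributes into a short fingerprint id."""
    canon = "|".join(f"{k}={v}" for k, v in sorted(config.items()) if k not in withheld)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def uniqueness_report(configs, withheld=frozenset()):
    """Count visitors singled out by their fingerprint and measure how much
    identifying information the fingerprint and each attribute carry."""
    fps = [fingerprint(c, withheld) for c in configs]
    counts = Counter(fps)
    unique = sum(1 for fp in fps if counts[fp] == 1)
    return {
        "visitors": len(configs),
        "unique": unique,
        "unique_fraction": unique / len(configs),
        "fingerprint_bits": entropy_bits(fps),
        "attribute_bits": {k: entropy_bits([c[k] for c in configs])
                           for k in configs[0] if k not in withheld},
    }

if __name__ == "__main__":
    full = uniqueness_report(SAMPLE_CONFIGS)
    reduced = uniqueness_report(SAMPLE_CONFIGS, SCRIPT_ONLY)
    print(f"all attributes:  {full['unique']}/{full['visitors']} unique, {full['fingerprint_bits']:.2f} bits")
    print(f"scripts blocked: {reduced['unique']}/{reduced['visitors']} unique, {reduced['fingerprint_bits']:.2f} bits")
```

With every attribute exposed, six of the eight constructed visitors are unique; withholding the script-only attributes drops that to three, which is the same effect the 94%-with-Flash-or-Java figure above shows from the other direction.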

This suggests a couple of solutions. One, ensure that your originating error rate is 19.9% so any change sends the rate over the threshold. Two, measure the rate and send the recipient that number – significant deviation is another indicator of intercept.

"Any proof that quantum cryptography is perfect relies on idealized assumptions that don't always hold true in the real world. One such assumption is related to the types of errors that creep into quantum messages. Alice and Bob always keep a careful eye on the level of errors in their messages because they know that Eve will introduce errors if she intercepts and reads any of the quantum bits in a message. So a high error rate is a sign that the message is being overheard. But it is impossible to get rid of errors entirely, so Alice and Bob have to tolerate a small level of error. This level is well known. Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment. Now, physicists have come up with an attack based on the realization that Alice also introduces errors when she prepares the required quantum states to send to Bob. This extra noise allows Eve to intercept some of the quantum bits, read them and then send them on, in a way that raises the error rate to only 19.7 percent. In this kind of 'intercept and resend attack,' the error rate stays below the 20 percent threshold and Alice and Bob are none the wiser, happily exchanging keys while Eve listens in unchallenged. The physicists say they have successfully used their hack on a commercial quantum cryptography system from the Geneva-based startup ID Quantique."
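The error-rate check at the heart of the article, and the baseline-comparison idea in the comment above it, as an added Python simulation (mine, not from the article, the physicists or ID Quantique): BB84 sifting with an environmental noise rate, an intercept-resend eavesdropper who handles only a fraction of the qubits (the knob that keeps the error rate under a fixed threshold), and two detection rules, the conventional fixed 20% threshold and a comparison against the link's own measured noise floor. The noise and intercept-fraction values are constructed for illustration.

```python
import random

# Constructed BB84 model: Alice sends n qubits in random bases, Bob measures in
# random bases, and the sifted positions (same basis) give the quantum bit
# error rate (QBER). Environmental noise flips a received bit with probability
# `noise`; an intercept-resend eavesdropper measures and re-prepares only a
# fraction of the qubits, which is why the QBER can stay under a fixed threshold.
def simulate_qber(n, noise, intercept_fraction, seed=1):
    rng = random.Random(seed)
    errors = sifted = 0
    for _ in range(n):
        bit, basis_a, basis_b = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        sent_bit, sent_basis = bit, basis_a
        if rng.random() < intercept_fraction:
            basis_e = rng.randrange(2)
            # A wrong-basis measurement yields a random result, and the qubit
            # is re-prepared in the eavesdropper's basis rather than Alice's.
            sent_bit = bit if basis_e == basis_a else rng.randrange(2)
            sent_basis = basis_e
        received = sent_bit if basis_b == sent_basis else rng.randrange(2)
        if rng.random() < noise:
            received ^= 1
        if basis_a == basis_b:            # sifting keeps same-basis positions only
            sifted += 1
            errors += received != bit
    return errors / sifted

THRESHOLD = 0.20  # the fixed tolerance the security proofs in the article rely on

def fixed_threshold_alarm(qber):
    """Conventional check: abort the key exchange only when QBER exceeds 20%."""
    return qber > THRESHOLD

def baseline_deviation_alarm(qber, baseline, tolerance=0.05):
    """Alternative check: compare against the link's own measured noise floor,
    so a large rise is suspicious even when it stays under the fixed threshold."""
    return qber > baseline + tolerance

if __name__ == "__main__":
    clean = simulate_qber(20_000, noise=0.01, intercept_fraction=0.0)
    tapped = simulate_qber(20_000, noise=0.01, intercept_fraction=0.7)
    print(f"baseline QBER {clean:.3f}, tapped QBER {tapped:.3f}")
    print("fixed 20% threshold alarm:", fixed_threshold_alarm(tapped))
    print("baseline deviation alarm:  ", baseline_deviation_alarm(tapped, clean))
```

In this model each intercepted sifted qubit is wrong one time in four, so intercepting 70% of the traffic lands around 18%: under the fixed threshold, but far above a 1% noise floor, which is what the baseline comparison catches.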

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.